PolicyDifference: implement policy capabilities diff

Closes #64
2025-02-21 22:46:50 +00:00 · 2016-01-14 18:31:06 -05:00 · 2016-01-14 18:31:06 -05:00 · b64fcea379
commit b64fcea379
parent dbad48a742
6 changed files with 95 additions and 1 deletions
--- a/20
+++ b/20
@ -78,6 +78,9 @@ labeling.add_argument("--netifcon", action="store_true", help="Print netifcon di
 labeling.add_argument("--nodecon", action="store_true", help="Print nodecon differences")
 labeling.add_argument("--portcon", action="store_true", help="Print portcon differences")

+other = parser.add_argument_group("other differences")
+other.add_argument("--polcap", action="store_true", help="Print policy capability differences")
+
 args = parser.parse_args()

 all_differences = not any((args.class_, args.common, args.type_, args.attribute, args.role,
@ -85,7 +88,7 @@ all_differences = not any((args.class_, args.common, args.type_, args.attribute,
                           args.allow, args.neverallow, args.auditallow, args.dontaudit,
                           args.type_trans, args.type_change, args.type_member, args.role_allow,
                           args.role_trans, args.range_trans, args.initialsid, args.genfscon,
-                           args.netifcon, args.nodecon, args.portcon, args.fs_use))
+                           args.netifcon, args.nodecon, args.portcon, args.fs_use, args.polcap))

 if args.debug:
    logging.basicConfig(level=logging.DEBUG,
@ -902,6 +905,21 @@ try:

            print()

+    if all_differences or args.polcap:
+        if diff.added_polcaps or diff.removed_polcaps or args.polcap:
+            print("Policy Capabilities ({0} Added, {1} Removed)".format(
+                len(diff.added_polcaps), len(diff.removed_polcaps)))
+            if diff.added_polcaps and not args.stats:
+                print("   Added Policy Capabilities: {0}".format(len(diff.added_polcaps)))
+                for n in sorted(diff.added_polcaps):
+                    print("      + {0}".format(n))
+            if diff.removed_polcaps and not args.stats:
+                print("   Removed Policy Capabilities: {0}".format(len(diff.removed_polcaps)))
+                for n in sorted(diff.removed_polcaps):
+                    print("      - {0}".format(n))
+
+            print()
+
 except Exception as err:
    if args.debug:
        import traceback
--- a/setools/diff/init.py
+++ b/setools/diff/init.py
@ -26,6 +26,7 @@ from .mlsrules import MLSRulesDifference
 from .netifcon import NetifconsDifference
 from .nodecon import NodeconsDifference
 from .objclass import ObjClassDifference
+from .polcap import PolCapsDifference
 from .rbacrules import RBACRulesDifference
 from .roles import RolesDifference
 from .terules import TERulesDifference
@ -47,6 +48,7 @@ class PolicyDifference(BooleansDifference,
                       NetifconsDifference,
                       NodeconsDifference,
                       ObjClassDifference,
+                       PolCapsDifference,
                       RBACRulesDifference,
                       RolesDifference,
                       SensitivitiesDifference,
--- a/setools/diff/polcap.py
+++ b/setools/diff/polcap.py
@ -0,0 +1,47 @@
+# Copyright 2016, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+from .descriptors import DiffResultDescriptor
+from .difference import Difference, SymbolWrapper
+
+
+class PolCapsDifference(Difference):
+
+    """Determine the difference in polcaps between two policies."""
+
+    added_polcaps = DiffResultDescriptor("diff_polcaps")
+    removed_polcaps = DiffResultDescriptor("diff_polcaps")
+
+    def diff_polcaps(self):
+        """Generate the difference in polcaps between the policies."""
+
+        self.log.info("Generating policy cap differences from {0.left_policy} to {0.right_policy}".
+                      format(self))
+
+        self.added_polcaps, self.removed_polcaps, _ = self._set_diff(
+            (SymbolWrapper(n) for n in self.left_policy.polcaps()),
+            (SymbolWrapper(n) for n in self.right_policy.polcaps()))
+
+    #
+    # Internal functions
+    #
+    def _reset_diff(self):
+        """Reset diff results on policy changes."""
+        self.log.debug("Resetting policy capability differences")
+        self.added_polcaps = None
+        self.removed_polcaps = None
--- a/tests/diff.py
+++ b/tests/diff.py
@ -1225,6 +1225,17 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
        self.assertEqual("modified_change_level:object_r:system:s2:c1", added_context)
        self.assertEqual("modified_change_level:object_r:system:s2:c0.c1", removed_context)

+    #
+    # Policy capabilities
+    #
+    def test_added_polcaps(self):
+        """Diff: added polcaps."""
+        self.assertSetEqual(set(["always_check_network"]), self.diff.added_polcaps)
+
+    def test_removed_polcaps(self):
+        """Diff: removed polcaps."""
+        self.assertSetEqual(set(["network_peer_controls"]), self.diff.removed_polcaps)
+

 class PolicyDifferenceTestNoDiff(unittest.TestCase):

@ -1533,3 +1544,11 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
    def test_modified_nodecons(self):
        """NoDiff: no modified nodecons."""
        self.assertFalse(self.diff.modified_nodecons)
+
+    def test_added_polcaps(self):
+        """NoDiff: no added polcaps."""
+        self.assertFalse(self.diff.added_polcaps)
+
+    def test_removed_polcaps(self):
+        """NoDiff: no removed polcaps."""
+        self.assertFalse(self.diff.removed_polcaps)
--- a/tests/diff_left.conf
+++ b/tests/diff_left.conf
@ -595,6 +595,10 @@ role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_

 ################################################################################

+# policycaps
+policycap open_perms;
+policycap network_peer_controls;
+
 #users
 user system roles system level s0 range s0;

--- a/tests/diff_right.conf
+++ b/tests/diff_right.conf
@ -595,6 +595,10 @@ role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_

 ################################################################################

+# policycaps
+policycap open_perms;
+policycap always_check_network;
+
 #users
 user system roles system level s0 range s0;